Phishing net behaving strangely

Julian Field MailScanner at ecs.soton.ac.uk
Fri Apr 8 16:51:52 IST 2005


    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Denis Beauchemin wrote:

> Denis Beauchemin wrote:
>
>> Hello,
>>
>> I am testing the phishing net for the first time.  I use MS 4.40.11
>> on a brand new machine.  Language.conf contains:
>> PossibleFraudStart = <font color="red"><b>MailScanner
>> soup&ccedil;onne le lien
>> PossibleFraudEnd = d'&ecirc;tre une tentative de fraude de la part
>> de</b></font>
>>
>> Here is what I sent to test (I added some underscores to make sure my
>> message would not be trapped again):
>> <a href="http_:_//_132_._210_._0_._0/">bad tag</a><br>
>>
>> Here is what I got:
>> <a href="http_:_//_132_._210_._0_._0/"><font
>> color="red"><b>MailScanner soup&ccedil;onne le lien "132.210.244.102"
>> d'&ecirc;tre une tentative de fraude de la part de</b></font> pas le
>> bon</a><br>
>>
>> Which makes MS' message appear as a link.  The message translates to:
>> MS believes the link "132.210.0.0" to be a phishing fraud attempt
>> from bad tag.
>>
>> Is this normal behaviour?
>>
> I just tried it again after changing MS' setup to English and the
> results are the same: MS' warning is inside the link...  so I guess it
> is normal behaviour...

The idea is to leave the link active, but make the warning message part
of the link. So if it is a false alarm, they can still easily click on
the link. They have to be made aware that what they are doing is
potentially dangerous, but I don't (and shouldn't) actually stop them
being able to follow the link.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list